[BUG] Govc client cannot validate server based on thumbprint when proxy is configured #2494
Comments
Howdy 🖐 hanlins! Thank you for your interest in this project. We value your feedback and will respond soon. If you want to contribute to this project, please make yourself familiar with the
Seems this is a known issue: Lines 122 to 125 in 18b53fd
Are we expecting a fix for this issue? @dougm
We use a custom http.Transport.DialTLS function to implement the thumbprint check, but that does not apply to proxy connections. Looks like we'd have to implement our own proxy client that does the http
There's a known issue that if govc client is using http proxy, then its connection needs to be insecure. Here's the known issue: vmware/govmomi#2494 Signed-off-by: Hanlin Shi <shihanlin9@gmail.com>
This issue is stale because it has been open for 90 days with no
/remove-lifecycle stale
Describe the bug
When proxy environment variables (e.g. HTTP_PROXY, HTTPS_PROXY) are set, govc client will bypass the thumbprint validation.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
When proxy environment variables are being configured, the thumbprint validation in govc client is bypassed. If users are using username/password together with thumbprint to validate the vCenter server, then there's no certificate being distributed to the server, thus the client won't find any SAN matching the vCenter server as there's no CA cert at all and the request will fail.
Affected version
Please provide details on the version used, e.g. release tag, commit, module version, etc.
Screenshots/Debug Output
The content of known_hosts file is:
Communication with vCenter works:
You can see that the request is forwarded successfully by the proxy.
3. Try previous govc command again with proxy configs and failed:
Additional context
Need to prevent golang from overwriting the transport functionality that skips the thumbprint validation.